Think The GDPR Only Regulates Big Internet Companies? The EU Says It Regulates You Too.

from the another-threat-to-democratized-speech dept

People tend to think of the GDPR as regulation companies must comply with. But thanks to a decision by the Court of Appeals for the EU earlier this month, there's particular reason to believe that ordinary Internet users will need to worry about complying with it as well.

In this decision the court found that the administrator of a fan page on Facebook is jointly responsible with Facebook for the processing of its visitors' data. And, as such, the administrator must comply with applicable data processing regulations – which necessarily include the GDPR.

The fan page at issue in this case appears to be run by some sort of enterprise, "Wirtschaftsakademie." But fan pages aren't always run by companies: as the court acknowledges, they are often run by individuals or small groups of individuals. Yet there doesn't appear to be anything in the ruling that would exempt them from its holding. Indeed, the court recognizes that its decision would inherently apply to them:

Fan pages are user accounts that can be set up on Facebook by individuals or businesses. To do so, the author of the fan page, after registering with Facebook, can use the platform designed by Facebook to introduce himself to the users of that social network and to persons visiting the fan page, and to post any kind of communication in the media and opinion market user data a processor of the data for visitors to its page, and thus jointly responsible with Facebook for its handling.

The problem is, compliance with data protection regulations like the GDPR is no simple matter. In fact, as this article suggests, the decision also potentially makes it even more complicated and expensive by expanding the jurisdiction of individual member states' data protection authorities (which was something that EU-wide regulation like the GDPR was actually supposed to minimize).

[Eduardo] Ustaran expressed concern in his 2017 post about the potential for local DPAs’ authority to issue decisions that affect companies located in other areas, in this case, Facebook, whose EU representative is in Ireland. He says that this goes against the letter of GDPR’s one-stop shop goal.

But even without this change to the GDPR's enforcement operation, the burdens of compliance were already a matter of concern. As discussed previously, compliance with the GDPR is difficult and expensive for even well-resourced companies. It's not something that individual Internet users are going to be able to easily manage, and that's a problem, because who would want to set up a Facebook fan page if doing so opened yourself up to such a crippling compliance burden?

Which leads to the essential problem here. Some cheer the GDPR because it puts user privacy front and center as a policy priority. In and of itself, there's nothing wrong with doing so – in fact, it's an idea whose time has come. But it doesn't matter how well-intentioned a law is if instead of merely regulating otherwise lawful activity it ends up suppressing it. And it's especially problematic when that activity is expressive. Even if chilling expression weren't the intent, if that's the effect, then there is something wrong with the regulation.

Furthermore, while it's bad enough if regulation chills the expressive activity of those well-resourced companies better able to navigate complex and costly compliance requirements, it's even worse if it chills the lawful and even desirable expressive activity of ordinary individuals. One of the things an Internet platform like Facebook does, and does well, is encourage the casual expression of ordinary people. If you have things to say, these platforms make it easy to say them to other people without you needing to invest in corporate structure or technical infrastructure before doing so. These are tools that help democratize expression, which ordinarily is something places claiming to value the principles of free expression should want to support. In fact, the more the antipathy against big companies, the more they should want to ensure that independent voices can thrive.

But instead we're seeing how all this regulation targeted at those big companies instead attacks regular people trying to speak online. We've seen the same problem with SESTA/FOSTA too, where individual online speakers suddenly find themselves risking legal liability for how they interact with other speakers online. And now it's happening again in the GDPR context, where the very regulation ostensibly intended to protect people online now threatens to silence them.


Filed Under: data controller, eu, fan pages, gdpr, privacy, social media
Companies: facebook


Reader Comments

  • SirWired, 19 Jun 2018 @ 12:37pm

    What a #&*#$&#!! mess...

    I went through mandatory GDPR training a couple months ago, and it's come up several times in my job so far.

    The conclusion I've come to is that due to the massive ambiguity and strict requirements, compliance is pretty much completely impossible. Businesses should just resign themselves to the fact that if they annoy the EU or an individual EU government enough, they might be selected for a GDPR prosecution, which the company will almost surely lose.

    It's not a stretch to guess that the EU will favor non-EU companies for enforcement actions, preferably ones with large-enough EU operations that the company can't afford to just give 'em the finger and cease operating in the EU.

    • :Lobo Santo, 20 Jun 2018 @ 9:31am

      Re: What a #&*#$&#!! mess...

      One wonders at what point it becomes more economical to simply deny service to certain countries with overly silly laws...

      • Bergman, 20 Jun 2018 @ 7:49pm

        Re: Re: What a #&*#$&#!! mess...

        If we're not there already, the EU will no doubt pass another law soon that will cross the line. They seem determined to opt themselves out of the internet.

    • btr1701, 21 Jun 2018 @ 1:04pm

      Re: What a #&*#$&#!! mess...

      This "GDPR regulates you too" stuff only applies to Europeans. If you're an American in Idaho running a fan page for Harry Potter and you have no physical presence in Europe, you do *not* have to abide by all this nonsense, especially considering a lot of it runs counter to the 1st Amendment protections enjoyed by Americans in America.

  • Anonymous Coward, 19 Jun 2018 @ 1:08pm

    Maybe a stupid question

    If I were to put a disclaimer on my website's terms of service that specifically said that 'membership to this site is for non EU individuals'. Would that cover me from liability if an EU citizen signed up?

    This is not a theoretical question. We have a site that markets to very small geographic locations in the US. It would be very difficult, but not impossible for an EU citizen to sign up although it would not be possible for the EU citizen to receive any benefits from joining.

    • Anonymous Coward, 19 Jun 2018 @ 1:29pm

      Re: Maybe a stupid question

      This is not a theoretical question.

      You are strongly urged to retain the services of a competent attorney licensed in your jurisdiction in order to obtain professional advice tailored to your circumstances.

      • Anonymous Coward, 19 Jun 2018 @ 1:36pm

        Re: Re: Maybe a stupid question

        You are assuming that the site's income is more than enough to be able to pay the attorney.

        • NeghVar, 19 Jun 2018 @ 2:15pm

          Re: Re: Re: Maybe a stupid question

          One way to mitigate the issue is to apply an IP filter to your firewall that blocks all non-US IP addresses. This is not 100%, but it will make an impact without high costs.

          • Anonymous Coward, 19 Jun 2018 @ 7:08pm

            Re: Re: Re: Re: Maybe a stupid Firewall

            If this is a serious suggestion, I am not familiar with the IP range of Europe, or how to firewall a website.

            • PaulT, 20 Jun 2018 @ 1:35am

              Re: Re: Re: Re: Re: Maybe a stupid Firewall

              Therein lies one of the major issues. An individual may be liable, but genuinely have no idea of how to avoid liability without hiring the services of a professional - services which they may not be able to afford, so choose to not speak rather than risk liability.

              As for your question, it genuinely depends on which software you're using and how thorough you want to be. There are ways to blacklist; software like WordPress provides plugins which make it easy, else you might be better off asking your hosting provider. All details you need are easy to search for if you are running your own platform.

              The biggest problem with doing this is that IP geolocation data is not always accurate, so you might inadvertently ban some non-EU members. Plus, of course, users can always fake their IP or use a VPN and I'm not sure what the implications are if they do that - I presume you'd not be liable if a user is lying to you or you collect data while they're physically in the US, but you never know with this kind of thing.

    • SirWired, 19 Jun 2018 @ 5:55pm

      Re: Maybe a stupid question

      The ability of the EU govt to enforce an EU regulation against a company with nobody and nothing in the EU to sue or seize is pretty limited.

  • That Anonymous Coward, 19 Jun 2018 @ 6:25pm

    Say it with me class...

    Power causes a form of brain damage.

    They like to pretend the internet is subject to their rule & only they have the right to say what is right or wrong.
    Maybe if they spent less time trying to police the internet & more time looking at the chaos they are causing their citizens they would be afraid of being replaced.

    • Anonymous Coward, 19 Jun 2018 @ 10:49pm

      Re:

      As the Internet is the means by which people could organize themselves to replace those in power, they want to be able to police it to prevent that happening.

  • Anonymous Coward, 19 Jun 2018 @ 7:48pm

    Premise is all sites get personal info -- only true if mercenary

    Meaning want MONEY. You can put out your views for free and not gather any info at all, without least trouble.

    BUT as one comment nearly got to: when you expect to gain money from the site and collect personal info of "users" in order to gain money, even indirectly from your "friend" Google splattering advertising all over everyone's screen and tracking them over teh internets, then you become a business, and deserve to be regulated.

    Money changes everything.

    • Anonymous Coward, 20 Jun 2018 @ 2:49am

      Re: Premise is all sites get personal info -- only true if mercenary

      Thanks for getting the government to regulate everybody, blue boy. Because of your precious copyrights.

      You jackass.

  • Anonymous Coward, 19 Jun 2018 @ 10:35pm

    "Why would anyone set up a Facebook page..."
    I really don't know, placing your business in the hands of a 3rd party, helping Zuckerberg's Man in the Middle attack on the internet.
    Oh in the context of GDPR, well the text says it applies to personal data about EU natural persons. Why would it matter the reason you collect data, it's still there and still needs protecting (from poor storage or from being sold).

  • Anonymous Coward, 20 Jun 2018 @ 1:55am

    How does GDPR work against human memory and the right to be forgotten?

  • Yes, I know I'm commenting anonymously, 20 Jun 2018 @ 4:00am

    e-mail / phone contact-lists too

    Now the GDPR also applies to your contact-lists in your phone and mail-reader.
    Everyone in the EU needs to get all your friends, colleagues and others in to give their permission to retain their phone-number and/or e-mail address.

    On the plus-side, it will bring down the percentage of webtraffic that is spam (slightly ;)

    • carlb, 20 Jun 2018 @ 6:35am

      Re: e-mail / phone contact-lists too

      On the plus-side, it will bring down the percentage of webtraffic that is spam (slightly ;)

      Or not.

      Don't you know? All Internet spam is sent by wealthy Nigerian princes.

  • Ninja, 20 Jun 2018 @ 4:46am

    Wow, what a huge mess. I'm fairly sure the always well intended law makers in the EU didn't expect this outcome. It will be delightful to see the shitshow the GDPR will produce. Maybe then it'll serve as a case-study of why we should 1- think of unintended consequences before "doing something", 2- listen to all those who may be affected positively or negatively to have a balanced set of viewpoints and 3- think about "what if I were on the receiving end of this law because privacy/accepted speech/societal norm was not my own or I didn't agree with?".
